dhatim / python-license-check

Check python packages from requirement.txt and report issues


Support SPDX identifiers

joshfriend opened this issue · comments

I'd like to be able to only allowlist/blocklist specific licenses by their SPDX identifiers (e.g. Apache-2.0), as opposed to the various forms that pop up in packages:

apache 2.0
apache software 2.0
apache license 2.0
apache software license 2.0
the idkapache software license 2.0

Full list of SPDX identifiers is at: https://spdx.org/licenses/

This project has a similar mapping of frequently used identifiers to their proper SPDX identifier:

https://github.com/NFJones/pipoe/blob/master/pipoe/licenses.py

Of course, this only gets you so far as some projects have ambiguous metadata that doesn't explicitly specify the license version (like dateutil for example). Perhaps this could be part of the normal/cautious/paranoid checking levels where "normal" might map "apache" to any version, but "paranoid" would not match unless it included a version number.

I believe this would eliminate the need for #53 as well?
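A sketch of the normalization and the normal/paranoid strictness levels described above, as an added example that is not the project's own code; the family table, the default versions and the sample requirement rows are constructed for illustration:

```python
import re

# Constructed table: license "family" keyword -> version -> SPDX id.
# Illustration only; a real table would cover far more of https://spdx.org/licenses/
FAMILIES = {
    "apache": {"1.1": "Apache-1.1", "2.0": "Apache-2.0"},
    "mit": {None: "MIT"},                      # unversioned license
    "bsd": {"2": "BSD-2-Clause", "3": "BSD-3-Clause"},
    "gpl": {"2": "GPL-2.0-only", "3": "GPL-3.0-only"},
}
# In "normal" mode an unversioned family name (e.g. "apache") falls back to
# this version; in "paranoid" mode it is rejected instead.
NORMAL_DEFAULT = {"apache": "2.0", "bsd": "3", "gpl": "3"}

_VERSION_RE = re.compile(r"\b(\d+(?:\.\d+)?)\b")


def to_spdx(raw, level="normal"):
    """Map a free-form license string to an SPDX id, or None if unsure."""
    text = raw.lower().replace("-", " ")
    # "gplv3" / "apache2.0" -> "gpl 3" / "apache 2.0"
    text = re.sub(r"(?<=[a-z])v?(?=\d)", " ", text)
    family = next((f for f in FAMILIES if re.search(rf"\b{f}\b", text)), None)
    if family is None:
        return None
    versions = FAMILIES[family]
    if None in versions:
        return versions[None]
    match = _VERSION_RE.search(text)
    version = match.group(1) if match else None
    if version is None:
        if level == "paranoid":
            return None          # no version stated: refuse to guess
        version = NORMAL_DEFAULT[family]
    # Treat "3" and "3.0" as the same version by comparing the major number.
    for known, spdx in versions.items():
        if known.split(".")[0] == version.split(".")[0]:
            return spdx
    return None


def check(requirements, allowlist, level="normal"):
    """Return (package, raw license, finding) for rows that fail the allowlist."""
    problems = []
    for pkg, lic in requirements:
        spdx = to_spdx(lic, level)
        if spdx is None:
            problems.append((pkg, lic, "unrecognized"))
        elif spdx not in allowlist:
            problems.append((pkg, lic, spdx))
    return problems
```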

I did not know about SPDX identifiers, and this looks like a great idea!

I believe this would eliminate the need for #53 as well?

Indeed

This request seems even more valuable now that SPDX is the de facto standard for licensing information.